Posted
by
BeauHDon Friday December 09, 2016 @08:25PM
from the buyer-beware dept.

An anonymous reader writes from a report via BleepingComputer: The security protocol that governs how virtual machines share data on a host system powered by AMD Zen processors has been found to be insecure, at least in theory, according to two German researchers. The technology, called Secure Encrypted Virtualization (SEV), is designed to encrypt parts of the memory shared by different virtual machines on cloud servers. AMD, who plans to ship SEV with its upcoming line of Zen processors, has published the technical documentation for the SEV technology this past April. The German researchers have analyzed the design of SEV, using this public documentation, and said they managed to identify three attack channels, which work, at least in theory.

[In a technical paper released over the past weekend, the researchers described their attacks:] "We show how a malicious hypervisor can force the guest to perform arbitrary read and write operations on protected memory. We describe how to completely disable any SEV memory protection configured by the tenant. We implement a replay attack that uses captured login data to gain access to the target system by solely exploiting resource management features of a hypervisor." AMD is scheduled to ship SEV with the Zen processor line in the first quarter of 2017.

Posted
by
BeauHDon Friday December 09, 2016 @04:40PM
from the access-denied dept.

An anonymous reader quotes a report from CyberScoop: Georgia's secretary of state has claimed the Department of Homeland Security tried to breach his office's firewall and has issued a letter to Homeland Security Secretary Jeh Johnson asking for an explanation. Brian Kemp issued a letter to Johnson on Thursday after the state's third-party cybersecurity provider detected an IP address from the agency's Southwest D.C. office trying to penetrate the state's firewall. According to the letter, the attempt was unsuccessful. The attempt took place on Nov. 15, a few days after the presidential election. The office of the Georgia Secretary of State is responsible for overseeing the state's elections. "At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network," Kemp wrote in the letter, which was also sent to the state's federal representatives and senators. "Moreover, your department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network. This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created." "The Department of Homeland Security has received Secretary Kemp's letter," a DHS spokesperson told CyberScoop. "We are looking into the matter. DHS takes the trust of our public and private sector partners seriously, and we will respond to Secretary Kemp directly." Georgia was one of two states that refused cyber-hygiene support and penetration testing from DHS in the leadup to the presidential election. The department had made a significant push for it after hackers spent months exposing the Democratic National Committee's internal communications and data.

Posted
by
msmash
on Friday December 09, 2016 @04:00PM
from the cutting-ties dept.

Police have now one less tool to monitor users on Twitter. The Daily Dot is reporting that Twitter has cut ties with a third-party social network surveillance firm, citing company policies intended to safeguard users against the surreptitious collection of data by law enforcement agencies. From the report: The severed contract follows Twitter nullifying the commercial data agreements of two other leading social-network-surveillance firms, Geofeedia and Snaptrends. Previously unreported, Twitter severed the access of Media Sonar, an Ontario-based company founded in 2012, which has sold surveillance software to police departments across the United States. Nineteen local government services are known to have each spent at least $10,000 on the software between 2014 and 2016, according to documents acquired under state open-records laws. Twitter informed the Daily Dot this week that it had terminated Media Sonar's access to its public API in October. If the company attempts to create other API keys, Twitter said, "we will terminate those as well and take further action as appropriate."

Posted
by
BeauHDon Thursday December 08, 2016 @09:05PM
from the top-10 dept.

What may come as no surprise to Facebook users, the social media company announced in a blog post that the U.S. presidential election was the most "talked about" topic on Facebook in 2016. Phys.Org highlights the other most-discussed topics in its report: The bitterly contested election in which Donald Trump defeated Hillary Clinton was ranked as the leading issue, followed by Brazil's political developments which included the impeachment of president Dilma Rousseff, Facebook said in a blog post. On the lighter side at number three was the runaway success of Pokemon Go, the location-based augmented reality game for smartphone users.
Other subject matters shared among Facebook's 1.79 billion users were more sober, with the fourth leading topic the "Black Lives Matter" movement, followed by the election in the Philippines of Rodrigo Duterte. Number six on the list was the Olympic games, followed by Brexit, the Super Bowl and the deaths of rock star David Bowie and boxing icon Muhammad Ali. Facebook said it measured leading topics by how frequently an issue was mentioned in posts made between January 1 and November 27.

Posted
by
BeauHDon Thursday December 08, 2016 @07:05PM
from the always-listening dept.

The Center for Digital Democracy has filed a complaint with the Federal Trade Commission warning of security and privacy holes associated with a pair of smart toys designed for children. Mashable reports: "This complaint concerns toys that spy," reads the complaint, which claims the Genesis Toys' My Friend Cayla and i-QUE Intelligent Robot can record and collect private conversations and offer no limitations on the collection and use of personal information. Both toys use voice recognition, internet connectivity and Bluetooth to engage with children in conversational manner and answer questions. The CDD claims they do all of this in wildly insecure and invasive ways. Both My Friend Cayla and i-QUE use Nuance Communications' voice-recognition platform to listen and respond to queries. On the Genesis Toy site, the manufacturer notes that while "most of Cayla's conversational features can be accessed offline," searching for information may require an internet connection. The promotional video for Cayla encourages children to "ask Cayla almost anything." The dolls work in concert with mobile apps. Some questions can be asked directly, but the toys maintain a constant Bluetooth connection to the dolls so they can also react to actions in the app and even appear to identify objects the child taps on on screen. While some of the questions children ask the dolls are apparently recorded and sent to Nuance's servers for parsing, it's unclear how much of the information is personal in nature. The Genesis Privacy Policy promises to anonymize information. The CDD also claims, however, that My Friend Cayla and i-Que employ Bluetooth in the least secure way possible. Instead of requiring a PIN code to complete pairing between the toy and a smartphone or iPad, "Cayla and i-Que do not employ... authentication mechanisms to establish a Bluetooth connection between the doll and a smartphone or tablet. The dolls do not implement any other security measure to prevent unauthorized Bluetooth pairing." Without a pairing notification on the toy or any authentication strategy, anyone with a Bluetooth device could connect to the toys' open Bluetooth networks, according to the complaint.

Posted
by
BeauHDon Thursday December 08, 2016 @06:25PM
from the money-back-guaranteed dept.

An anonymous reader quotes a report from Network World: Some 2.7 million ATT customers will share $88 million in compensation for having had unauthorized third-party charges added to their mobile bills, the Federal Trade Commission announced this morning. The latest shot in the federal government's years-long battle against such abuses, these refunds will represent the most money ever recouped by victims of what is known as "mobile cramming," according to the FTC. From an FTC press release: "Through the FTC's refund program, nearly 2.5 million current ATT customers will receive a credit on their bill within the next 75 days, and more than 300,000 former customers will receive a check. The average refund amount is $31. [...] According to the FTC's complaint, ATT placed unauthorized third-party charges on its customers' phone bills, usually in amounts of $9.99 per month, for ringtones and text message subscriptions containing love tips, horoscopes, and 'fun facts.' The FTC alleged that ATT kept at least 35 percent of the charges it imposed on its customers." The matter with ATT was originally made public in 2014 and also involved two companies that actually applied the unauthorized charges, Tatto and Acquinity.

Posted
by
BeauHDon Thursday December 08, 2016 @05:05PM
from the level-the-playing-field dept.

Congress passed a bill yesterday that will make it illegal for people to use software bots to buy concert tickets. Ars Technica reports: The Better Online Ticket Sales (BOTS) Act makes it illegal to bypass any computer security system designed to limit ticket sales to concerts, Broadway musicals, and other public events with a capacity of more than 200 persons. Violations will be treated as "unfair or deceptive acts" and can be prosecuted by the Federal Trade Commission or the states. The bill passed the Senate by unanimous consent last week, and the House of Representatives voted yesterday to pass it as well. It now proceeds to President Barack Obama for his signature. Computer programs that automatically buy tickets have been a frustration for the concert industry and fans for a few years now. The issue had wide exposure after a 2013 New York Times story on the issue. Earlier this year, the office of New York Attorney General Eric Schneiderman completed an investigation into bots. The New York AG's ticket sales report (PDF) found that the tens of thousands of tickets snatched up by bots were marked up by an average of 49 percent.

Posted
by
BeauHDon Wednesday December 07, 2016 @10:30PM
from the face-mask dept.

Paris has barred some cars from its streets and has made public transportation free as it suffers from the worst and most prolonged winter pollution for at least 10 years, the Airparif agency said on Wednesday. The Independent reports: Authorities have said only drivers with odd-numbered registration plates can drive in the capital region on Wednesday. Drivers of even-numbered cars were given the same opportunity on Tuesday, but could now be fined up to 35 EUR if they are caught behind the wheel. More than 1,700 motorists were fined for violations on Tuesday. Paris mayor Anne Hidalgo said images of smog blanketing the capital were proof of the need to reduce vehicle use in the city center. The air pollution peak is due to the combination of emissions from vehicles and from domestic wood fires as well as near windless conditions which means pollutants have not been dispersed, the Airparif agency said. "This is a record period (of pollution) for the last 10 years," Karine Leger of AirParif told AFP by telephone. For more than a week, Airparif has published readings of PM10 at more than 80 micrograms per cubic meter of air particles, triggering the pollution alert. Along with odd-numbered cars, hybrid or electric vehicles as well as those carrying three or more people will be allowed to roam the roads. Foreign and emergency vehicles will be unaffected.

Posted
by
BeauHDon Wednesday December 07, 2016 @07:45PM
from the can-you-hear-me-now dept.

An anonymous reader quotes a report from Reuters: American and British spies have since 2005 been working on intercepting phone calls and data transfers made from aircraft, France's Le Monde newspaper reported on Wednesday, citing documents from former U.S. spy agency contractor Edward Snowden. According to the report, also carried by the investigative website The Intercept, Air France was targeted early on in the projects undertaken by the U.S. National Security Agency (NSA) and its British counterpart, GCHQ, after the airline conducted a test of phone communication based on the second-generation GSM standard in 2007. That test was done before the ability to use phones aboard aircraft became widespread. "What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combatting proliferation target have in common? They all used their everyday GSM phone during a flight," the reports cited one NSA document from 2010 as saying. In a separate internal document from a year earlier, the NSA reported that 100,000 people had already used their mobile phones in flight as of February 2009, a doubling in the space of two months. According to Le Monde, the NSA attributed the increase to "more planes equipped with in-flight GSM capability, less fear that a plane will crash due to making/receiving a call, not as expensive as people thought." Le Monde and The Intercept also said that, in an internal presentation in 2012, GCHQ had disclosed a program called "Southwinds," which was used to gather all the cellular activity, voice communication, data, metadata and content of calls made on board commercial aircraft.

Posted
by
BeauHDon Wednesday December 07, 2016 @07:05PM
from the bug-bounty dept.

Mickeycaskill writes: Nintendo will pay up to $20,000 for system and software vulnerabilities in the Nintendo 3DS family of handheld gaming consoles. The company is looking to prevent activities such as piracy, cheating and the circulation of inappropriate content to children. The stated goal is to "provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo's platforms." Silicon.co.uk reports: "Rewards will range from $100 to $20,000, with one given per 'qualifying piece of vulnerability information.' Hackers looking to claim a reward will have to provide Nintendo with either a proof-of-concept or a piece of functional exploit code in order to qualify."

Posted
by
msmash
on Wednesday December 07, 2016 @01:00PM
from the tit-for-tat dept.

An Oregon District Court has sided with a wrongfully accused man who was sued for allegedly downloading a pirated copy of the Adam Sandler movie "The Cobbler." According to the court's recommendations, reports TorrentFreak, the man is entitled to more than $17,000 in compensation as the result of the filmmakers "overaggressive" and "unreasonable" tactics. From the article: The defendant in question, Thomas Gonzales, operates an adult foster care home where several people had access to the Internet. The filmmakers were aware of this and during a hearing their counsel admitted that any guest could have downloaded the film. [...] "The Court finds that once Plaintiff learned that the alleged infringement was taking place at an adult group care home at which Gonzales did not reside, Plaintiff's continued pursuit of Gonzales for copyright infringement was objectively unreasonable," Judge Beckerman ruled. "The Court shares Gonzales' concern that Plaintiff is motivated, at least in large part, by extracting large settlements from individual consumers prior to any meaningful litigation. "On balance, the Court has concerns about the motivation behind Plaintiff's overaggressive litigation of this case and other cases, and that factor weighs in favor of fee shifting."

Posted
by
msmash
on Wednesday December 07, 2016 @12:20PM
from the security-woes dept.

Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price, PCWorld reports. From the article: One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday. The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven't actually cracked it, they believe it's only a matter of time until someone does. Sony released a patch to the affected camera models last week.

Posted
by
BeauHDon Tuesday December 06, 2016 @08:25PM
from the hidden-in-plain-sight dept.

An anonymous reader quotes a report from BleepingComputer: For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites. Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files. In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads. The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites. Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character. Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo. When extracted, this malicious code would redirect the user to an intermediary ULR, called gate, where the host server would filter users. This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers. Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm. If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL. The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and launch into execution various strains of malware.

Posted
by
BeauHDon Tuesday December 06, 2016 @05:00PM
from the less-regulated dept.

An anonymous reader quotes a report from TmoNews: T-Mobile CFO Braxton Carter spoke at the UBS Global Media and Communications Conference in New York City, and he touched a bit on President-elect Donald Trump and what his election could mean for the mobile industry. Carter expects that a Trump presidency will foster an environment that'll be more positive for wireless. "It's hard to imagine, with the way the election turned out, that we're not going to have an environment, from several aspects, that is not going to be more positive for my industry," the CFO said. He went on to explain that there will likely be less regulation, something that he feels "destroys innovation and value creation." Speaking of innovation, Carter also feels that a reversal of net neutrality and the FCC's Open Internet rules would be good for innovation in the industry, saying that it "would provide opportunity for significant innovation and differentiation" and that it'd enable you to "do some very interesting things."

Posted
by
msmash
on Tuesday December 06, 2016 @01:00PM
from the design-war dept.

The Supreme Court on Tuesday sided with Samsung in its high-profile patent dispute with Apple over design of the iPhone. The justices said Samsung may not be required to pay all the profits it earned from 11 phone models because the features at issue are only a tiny part of the devices. From a report on Reuters: The justices in their 8-0 ruling sent the case back to the lower court for further proceedings. The decision gives Samsung another chance to try to get back a big chunk of the money it paid Apple in December following a 2012 jury verdict that it infringed Apple's iPhone patents and mimicked its distinctive appearance in making the Galaxy and other competing devices. The court held that a patent violator does not always have to fork over its entire profits from the sales of products using stolen designs, if the designs covered only certain components and not the whole thing.

Posted
by
msmash
on Tuesday December 06, 2016 @12:20PM
from the making-clear dept.

The US Supreme Court today will take up a case that will determine how much help an overseas manufacturer can get from the U.S. without running afoul of US patent laws. From a report on ArsTechnica: The case originates in a dispute between two competitors in the field of genetic testing. Both Promega Corporation and Life Technologies (selling through its Applied Biosciences brand) make DNA testing kits that can be used in a variety of fields, including forensic identification, paternity testing, medical treatment, and research. Promega licensed several patents to Applied Biosystems that allowed its competitor to sell kits for use in "Forensics and Human Identity Applications." The license forbade sales for clinical or research uses. In 2010, Promega filed a lawsuit in federal court, saying that Life Technologies had "engaged in a concerted effort to sell its kits into unlicensed fields," thus infringing its patents. A Wisconsin federal jury found that Life Tech had willfully infringed and should pay $52 million in damages. But the district judge overseeing the case set aside that verdict after trial, ruling that since nearly all of the Life Tech product had been assembled and shipped from outside the US, the product wasn't subject to US patent laws.

Posted
by
BeauHDon Tuesday December 06, 2016 @05:00AM
from the budget-cuts dept.

theodp writes: "2016 as a year of action builds on a decade of national, state, and grassroots activity to revitalize K-12 computer science education," reads the upbeat White House blog post kicking off Computer Science Education Week. But conspicuous by its absence in the accompanying fact sheet for A Year of Action Supporting Computer Science for All is any mention of the status of President Obama's proposed $4 billion Computer Science For All initiative, which enjoyed support from the likes of Microsoft, Facebook, and Google. On Friday, tech-backed Code.org posted An Update on Computer Science Education and Federal Funding, which explained that Congress's passage of a 'continuing resolution' extending the current budget into 2017 spelled curtains for federal funding for the program in 2016 and beyond. "We don't have any direct feedback yet about the next administration's support for K-12 CS," wrote CEO Hadi Partovi and Govt. Affairs VP Cameron Wilson, "other than a promise to expand 'vocational and technical education' as part of Trump's 100-day plan which was published in late October. I am hopeful that this language may translate into support for funding K-12 computer science at a federal level. However, we should assume that it will not."

Posted
by
BeauHDon Monday December 05, 2016 @10:30PM
from the drug-resistant dept.

An anonymous reader quotes a report from Reuters: A California state senator introduced a bill on Monday that would mandate reporting of antibiotic-resistant infections and deaths and require doctors to record the infections on death certificates when they are a cause of death. The legislation also aims to establish the nation's most comprehensive statewide surveillance system to track infections and deaths from drug-resistant pathogens. Data from death certificates would be used to help compile an annual state report on superbug infections and related deaths. In September, a Reuters investigation revealed that tens of thousands of superbug deaths nationwide go uncounted every year. The infections are often omitted from death certificates, and even when they are recorded, they aren't counted because of the lack of a unified national surveillance system. Because there is no federal surveillance system, monitoring of superbug infections and deaths falls to the states. A Reuters survey of all 50 state health departments and the District of Columbia found that reporting requirements vary widely. Hill's bill would require hospitals and clinical labs to submit an annual summary of antibiotic-resistant infections to the California Department of Health beginning July 1, 2018; amend a law governing death certificates by requiring that doctors specify on death certificates when a superbug was the leading or a contributing cause of death; and require the state Health Department to publish an annual report on resistant infections and deaths, including data culled from death certificates.

Posted
by
BeauHDon Monday December 05, 2016 @06:20PM
from the invisible-man dept.

An anonymous reader quotes a report from BleepingComputer: Google engineers are working on an improved version of the reCAPTCHA system that uses a computer algorithm to distinguish between automated bots and real humans, and requires no user interaction at all. Called "Invisible reCAPTCHA," and spotted by Windows IT Pro, the service is still under development, but the service is open for sign-ups, and any webmaster can help Google test its upcoming technology. Invisible reCAPTCHA comes two years after Google has revolutionized CAPTCHA technologies by releasing the No CAPTCHA reCAPTCHA service that requires users to click on one checkbox instead of solving complex visual puzzles made up of words and numbers. The service helped reduce the time needed to fill in forms, and maintained the same high-level of spam detection we've become accustomed from the reCAPTCHA service. The introduction of the new Invisible reCAPTCHA technology is unlikely to make the situation better for Tor users since CloudFlare will likely force them to solve the same puzzle if they come from IPs seen in the past performing suspicious actions. Nevertheless, CloudFlare started working on an alternative.

Posted
by
BeauHDon Monday December 05, 2016 @04:20PM
from the loading-bar dept.

An anonymous reader quotes a report from Ars Technica: Millions of Americans still have extremely slow Internet speeds, a new Federal Communications Commission report shows. While the FCC defines broadband as download speeds of 25Mbps, about 47.5 million home or business Internet connections provided speeds below that threshold. Out of 102.2 million residential and business Internet connections, 22.4 million offered download speeds less than 10Mbps, with 5.8 million of those offering less than 3Mbps. About 25.1 million connections offered at least 10Mbps but less than 25Mbps. 54.7 million households had speeds of at least 25Mbps, with 15.4 million of those at 100Mbps or higher. These are the advertised speeds, not the actual speeds consumers receive. Some customers will end up with slower speeds than what they pay for. Upload speeds are poor for many Americans as well. While the FCC uses 3Mbps as the upload broadband standard, 16 million households had packages with upload speeds less than 1Mbps. Another 27.2 million connections were between 1Mbps and 3Mbps, 30.1 million connections were between 3Mbps and 6Mbps, while 29 million were at least 6Mbps. The Internet Access Services report released last week contains data as of December 31, 2015. The 11-month gap is typical for these reports, which are based on information collected from Internet service providers. The latest data is nearly a year old, so things might look a bit better now, just as the December 2015 numbers are a little better than previous ones.